Attackers could have hijacked any Tinder account using just a phone number, a security researcher has revealed. The bug lay in how the dating service used Facebook's Account Kit to let its users log in with their phone numbers. Attackers could have abused this "convenience" to take over Tinder accounts using nothing more than the target's phone number.
Facebook describes Account Kit as a service that lets "people quickly register for and log in to your app by using just their phone number or email address – no password needed." In his latest bug discovery, Anand Prakash reported that the Tinder API was not checking the user ID against the token supplied by Account Kit during login – a flaw that could have been exploited by attackers to use any other app's access token to take over Tinder accounts.
"Once in, the attacker could have got anyone's access token of Account Kit seen in cookies (aks)," he wrote. "Post that, the attacker can use the access token (aks) to log into the user's Tinder account using the vulnerable API."
Using this vulnerability, the attacker would get complete control of the targeted account.
The attacker basically has full control over the victim's account – they can read private chats, see full personal information, swipe other user profiles left or right, etc.
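The class of flaw described above, as an added illustration that is not Tinder's or Facebook's code: an Account Kit-style login where the token is validated but never tied to the account it is used for, shown next to the corrected check. The token table, account ids and Tinder user ids are constructed sample data, and the Account Kit lookup is simulated in memory.

```python
from typing import Optional

# Constructed sample data: Account Kit access token -> the account it was issued to.
# (The real service answers this lookup through its own API; simulated here.)
ACCOUNT_KIT_TOKENS = {
    "aks-token-attacker": {"id": "ak-1001", "phone": "+15550000001"},
    "aks-token-victim": {"id": "ak-2002", "phone": "+15550000002"},
}

# Constructed sample data: Account Kit account id -> Tinder user id.
TINDER_USERS = {
    "ak-1001": "tinder-user-A",
    "ak-2002": "tinder-user-V",
}


def introspect_token(aks_token: str) -> Optional[dict]:
    """Simulates asking Account Kit which account a token belongs to."""
    return ACCOUNT_KIT_TOKENS.get(aks_token)


def login_vulnerable(aks_token: str, claimed_ak_id: str) -> Optional[str]:
    """Mirrors the reported flaw: the token is only checked for validity,
    and the client-supplied account id is trusted to select the Tinder user.
    Any valid token therefore opens any account."""
    if introspect_token(aks_token) is None:
        return None  # token invalid
    return TINDER_USERS.get(claimed_ak_id)  # id never compared with the token


def login_fixed(aks_token: str, claimed_ak_id: str) -> Optional[str]:
    """Hardened: the account id comes from the token itself, and a
    client-supplied id must match it, so a token only grants its own account."""
    account = introspect_token(aks_token)
    if account is None or account["id"] != claimed_ak_id:
        return None  # invalid token, or token does not belong to the claimed id
    return TINDER_USERS.get(account["id"])
```

A login endpoint that needs a user identifier should derive it from the verified token rather than accept it from the request, which is the check the fixed version adds.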
The bug has now been fixed by the engineering teams at Facebook and Tinder. Both companies paid the ethical hacker for his responsible disclosure. The 24-year-old received $5,000 from Facebook and $1,250 from Tinder in bug bounties.
More technical information on this now-fixed bug can be found in Prakash's Medium post.